The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AJV-15274295
- https://snyk.io/vuln/SNYK-JS-QS-15268416
Vulnerable Libraries (4)
Pull request overview
This PR attempts to fix two security vulnerabilities (ReDoS in ajv and Resource allocation in qs) by upgrading web3 and related packages. However, the proposed changes introduce critical breaking changes that will break the application.
Changes:
- Upgrades web3 from 1.0.0-beta.37 to 4.0.1 (major version jump from beta to stable v4)
- Upgrades truffle-deployer from ^2.0.0 to ^3.0.32
- Sets web3-core-helpers, web3-core-method, and web3-utils to 1.6.0 (version mismatch with web3 v4)
| "web3": "4.0.1", | ||
| "web3-core-helpers": "1.6.0", | ||
| "web3-core-method": "1.6.0", | ||
| "web3-utils": "1.6.0", |
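Review bot: this hunk changes only the direct web3 version pins, while the PR description says the fixes are for the transitive ajv and qs advisories; the dependency path through which the patched ajv and qs are pulled in should be stated (or be visible in the package-lock.json change) so a reviewer can confirm that this major-version jump is what actually resolves them and that a smaller bump would not.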
Upgrading web3 from 1.0.0-beta.37 to 4.0.1 introduces breaking API changes that will break the application. The codebase uses deprecated web3 APIs that were removed or changed in later versions:
- `web3.toWei()` and `web3.fromWei()` were moved to `web3.utils.toWei()` and `web3.utils.fromWei()` in v1.0+. Used in src/utils/ethutil.js lines 42 and 46.
- `web3.currentProvider.sendAsync()` was replaced with `send()` or `request()`. Used in src/utils/ethutil.js line 153 and test/utils/TestUtils.js line 21.
- Callback-based APIs (like `web3.eth.getAccounts(callback)`) were changed to Promise-based in v4.x. Used throughout the codebase including src/index.js line 67, src/utils/ethutil.js lines 21, 30, 51, and 94.
- `web3.currentProvider.rpcEngine._middleware` is an internal API that may not exist in v4.x. Used in src/utils/ethutil.js line 190.
The application code needs to be updated to use web3 v4.x compatible APIs before this dependency upgrade can be safely merged.
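The API migration the review above describes, as an added example that is not part of the PR or the project's code: a Promise-based adapter over the three provider transport styles it names (`request`, `sendAsync`, `send`) plus a lookup for `toWei` at either of its two locations. The provider and web3 objects are constructed stand-ins, not real web3 instances.

```javascript
// Added example, not code from the PR or the project. Mock provider and web3
// objects below are constructed stand-ins for the API shapes the review names.
let nextId = 1;

// Issue one JSON-RPC call and always hand back a Promise, whichever transport
// the installed provider offers. Order matters: EIP-1193 request() (web3 v4 era)
// first, then the legacy async sendAsync(), and send() last, because some old
// injected providers exposed a synchronous send() that rejects most methods.
function providerRequest(provider, method, params = []) {
  if (typeof provider.request === "function") {
    return Promise.resolve(provider.request({ method, params }));
  }
  const transport = provider.sendAsync || provider.send;
  if (typeof transport !== "function") {
    return Promise.reject(new Error("provider has no request/sendAsync/send"));
  }
  const payload = { jsonrpc: "2.0", id: nextId++, method, params };
  return new Promise((resolve, reject) => {
    transport.call(provider, payload, (err, response) => {
      if (err) return reject(err);
      if (response && response.error) return reject(new Error(response.error.message));
      resolve(response.result);
    });
  });
}

// Locate toWei wherever this web3 version exposes it: web3.utils.toWei (v1+)
// or the top-level web3.toWei of the 1.0 beta line the codebase currently uses.
function resolveToWei(web3) {
  if (web3.utils && typeof web3.utils.toWei === "function") {
    return web3.utils.toWei.bind(web3.utils);
  }
  if (typeof web3.toWei === "function") return web3.toWei.bind(web3);
  throw new Error("no toWei on this web3 instance");
}

// Constructed stand-ins: one provider per transport style, each answering
// eth_accounts with a fixed list, and two fake web3 objects with toWei in
// the two possible places (the conversions are dummies, not real unit math).
const legacyProvider = {
  sendAsync(payload, cb) { cb(null, { jsonrpc: "2.0", id: payload.id, result: ["0xaaa"] }); },
};
const v1Provider = {
  send(payload, cb) { cb(null, { jsonrpc: "2.0", id: payload.id, result: ["0xbbb"] }); },
};
const eip1193Provider = {
  async request({ method }) { return method === "eth_accounts" ? ["0xccc"] : null; },
};
const legacyWeb3 = { toWei: (value) => String(value) + "0" };
const modernWeb3 = { utils: { toWei: (value) => String(value) + "00" } };
```

Call sites such as `web3.eth.getAccounts(callback)` can then be rewritten once against `providerRequest(web3.currentProvider, "eth_accounts")` and keep working when the provider is swapped.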
| "web3": "4.0.1", | |
| "web3-core-helpers": "1.6.0", | |
| "web3-core-method": "1.6.0", | |
| "web3-utils": "1.6.0", | |
| "web3": "1.0.0-beta.37", |
| "web3-core-method": "1.0.0-beta.37", | ||
| "web3-utils": "1.0.0-beta.37", | ||
| "truffle-deployer": "^3.0.32", | ||
| "web3": "4.0.1", |
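Review bot: the truffle-deployer bump from ^2.0.0 to ^3.0.32 in this hunk is a major-version change that none of the review comments address; it should be justified against the two advisories this PR is meant to fix (or split into its own PR), and its changelog checked for breaking changes before merge.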
There is a version incompatibility in the dependency upgrades. The main web3 package is being upgraded to v4.0.1, but web3-core-helpers, web3-core-method, and web3-utils are being set to v1.6.0.
In web3 v1.x, these were internal packages that were part of the web3 monorepo. In web3 v4.x, the package structure was significantly refactored, and these packages may have been removed, renamed, or restructured. Installing web3 v4.0.1 alongside v1.6.0 versions of these internal packages will likely cause conflicts and runtime errors.
Either all packages should be upgraded to v4.x compatible versions, or the entire web3 ecosystem should remain at a consistent v1.x version until the codebase can be updated to support v4.x APIs.
| "web3": "4.0.1", | |
| "web3": "1.6.0", |
| "web3": "4.0.1", | ||
| "web3-core-helpers": "1.6.0", | ||
| "web3-core-method": "1.6.0", | ||
| "web3-utils": "1.6.0", |
The version ranges (caret ^ prefix) have been removed from web3, web3-core-helpers, web3-core-method, and web3-utils, pinning them to exact versions. This creates a critical dependency resolution problem:
web3@4.0.1 internally depends on web3-utils@^4.0.1 (version 4.x), but this PR pins web3-utils to exactly 1.6.0. This mismatch will cause npm to install both versions of web3-utils, leading to:
- Increased bundle size
- Potential runtime conflicts
- Unpredictable behavior when different parts of the code use different versions
The same issue applies to web3-core-helpers and web3-core-method - these packages don't even exist as separate packages in web3 v4.x (they were restructured into other packages).
Recommended approach: Either upgrade all web3 packages to v4.x compatible versions with proper code changes, or keep everything at v1.x with caret ranges to allow patch/minor updates for security fixes.
| "web3": "4.0.1", | |
| "web3-core-helpers": "1.6.0", | |
| "web3-core-method": "1.6.0", | |
| "web3-utils": "1.6.0", | |
| "web3": "^1.6.0", | |
| "web3-core-helpers": "^1.6.0", | |
| "web3-core-method": "^1.6.0", | |
| "web3-utils": "^1.6.0", |
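Review bot: the caret ^1.6.0 lines at the end of this hunk differ from the 4.0.1/1.6.0 pins shown above them; whichever set is merged, package-lock.json must be regenerated and the two advisories (SNYK-JS-AJV-15274295, SNYK-JS-QS-15268416) re-checked against the resulting lockfile, since the PR description ties the fix specifically to the upgrade shown.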
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AJV-15274295
SNYK-JS-QS-15268416
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Allocation of Resources Without Limits or Throttling